3 Ways to Prevent XSS

3 Ways to Prevent XSS

- in Tech
195
Comments Off on 3 Ways to Prevent XSS

There are vulnerabilities that are common and less harmful, rare and very harmful and those that are common but dangerous. XSS is an example of a common and destructive vulnerability.It enables the attacker to see and do everything like a user and the worst part is that the user won’t be aware of it. XSS attack works by deceiving an application to send a malicious script through the browser by making it believe that it has originated from a trusted source, which downloads and executes it whenever a user accesses the affected page. Usually, the attacker captures the cookies and session tokens to seize the user sessions and spread the malicious Javascript.

Types of XSS attacks:

  1. Sorted(persistent) XSS-Injection of malicious scripts into a vulnerable application.
  2. Reflected XSS-Reflects the malicious code to a link in the webpage, which is triggered once the user clicks the link.

Prevention:

  1. Escaping user input:

It is to ensure the data safety before being presented to the user. This is achieved by restricting interpretation of the key characters in a malicious way by a web page.
It is better to avoid the HTML, URL, and JavaScript entities when a webpage doesn’t let the users append their own code but if it lets users add text to forums, post comments, then one has to selectively escape from some HTML entities or else escape all of them by using raw HTML like Markdown.

  1. Input validation:

This ensures prevention of XSS in forms by restricting a user to add special characters to the fields. It helps in rendering the right data, thus reducing chances of malicious data harming the site, database and the users.

Blacklisting prevents certain bad characters from being entered and whitelisting allows only good characters to be entered, significantly reducing XSS attacks.

  1. Sanitizing user input:

This is a defense technique that is suitable for sites that allow HTML markup.It works by removing the potentially harmful markup, converting the unacceptable input of the user to an acceptable format, thus making the data safe for the users.

The best way to eliminate XSS is to use various methods together like, code review, automated static testing during development and dynamic testing and secure coding practices.